When I take a minute to think about it, I realize that I could be doing more to make life easier for law enforcement. I lock the door to my apartment when I’m not there, so if the cops want to search my place while I’m away, they’d have to remove my door first.
I live alone, and sometimes I’ll go to a restaurant or my boyfriend’s place without notifying anyone! I might even have my phone turned off so Google loses track of where I am. Police would have to engage in some detective work in order to determine my whereabouts.
If I’m not doing anything wrong, then why don’t I give my local police department keys to my front door and let them know when I’m leaving Toronto to meet friends? I shouldn’t have anything to hide, right?
So why do we have to encrypt our internet communications? If we decide to use Signal or WhatsApp for our conversations about which movie to watch at the megaplex or the implications of Scooter Braun buying Taylor Swift’s song catalogue, we could at least be courteous enough to let the government have a backdoor!
You can bet that there are people in US government who want that. As Eric Geller recently reported in Politico:
“Senior Trump administration officials met on Wednesday to discuss whether to seek legislation prohibiting tech companies from using forms of encryption that law enforcement can’t break—a provocative step that would reopen a long-running feud between federal authorities and Silicon Valley.
The encryption challenge, which the government calls ‘going dark,’ was the focus of a National Security Council meeting Wednesday morning that included the No. 2 officials from several key agencies, according to three people familiar with the matter.
Senior officials debated whether to ask Congress to effectively outlaw end-to-end encryption, which scrambles data so that only its sender and recipient can read it, these people told POLITICO. Tech companies like Apple, Google and Facebook have increasingly built end-to-end encryption into their products and software in recent years—billing it as a privacy and security feature but frustrating authorities investigating terrorism, drug trafficking and child pornography.”
Well, the top minds in cybersecurity all agree that backdoors or any other ways of weakening encryption put everyone at risk. Venafi’s own Kevin Bocek says:
“Once again, we have politicians trying to legislate what they do not understand. The message just doesn’t seem to be getting through—if you undermine encryption, create a backdoor, then you will weaken security defenses that are used by our very own government. It’s a really bad idea, once a backdoor is created it won’t stay secret for long and will just create blueprints for cyber attackers to steal private data and sneak into encrypted communications. I understand that it’s frustrating that police can’t access encrypted communications, but creating a backdoor isn’t the answer and it’s totally unrealistic to simply ban the use of such services – this will only hurt their legitimate, law abiding users.”
And as I’ve quoted Bruce Schneier:
“There is simply no way to secure US networks while at the same time leaving foreign networks open to eavesdropping and attack. There's no way to secure our phones and computers from criminals and terrorists without also securing the phones and computers of those criminals and terrorists. On the generalized worldwide network that is the Internet, anything we do to secure its hardware and software secures it everywhere in the world. And everything we do to keep it insecure similarly affects the entire world.
This leaves us with a choice: either we secure our stuff, and as a side effect also secure their stuff; or we keep their stuff vulnerable, and as a side effect keep our own stuff vulnerable. It's actually not a hard choice. An analogy might bring this point home. Imagine that every house could be opened with a master key, and this was known to the criminals.
Fixing those locks would also mean that criminals' safe houses would be more secure, but it's pretty clear that this downside would be worth the trade-off of protecting everyone's house.
With the Internet+ increasing the risks from insecurity dramatically, the choice is even more obvious. We must secure the information systems used by our elected officials, our critical infrastructure providers, and our businesses.
Yes, increasing our security will make it harder for us to eavesdrop, and attack, our enemies in cyberspace. (It won't make it impossible for law enforcement to solve crimes; I'll get to that later in this chapter.) Regardless, it's worth it. If we are ever going to secure the Internet+, we need to prioritize defense over offense in all of its aspects.”
Governments all over the world are considering encryption backdoors. GCHQ is a British spy agency. They have proposed the implementation of “ghost protocols” into end-to-end encryption services, to enable "an extra end" that would serve as a backdoor for law enforcement and intelligence agencies.
This past May, a group of non-profit organizations, tech companies, and cybersecurity experts sent an open letter to GCHQ, highlighting their concerns. The group includes the Electronic Frontier Foundation, The Tor Project, Reports Without Borders, Apple, Google, WhatsApp, Microsoft, Jon Callas, and Bruce Schneier, among others. They wrote:
“The GCHQ piece outlines a proposal for ‘silently adding a law enforcement participant to a group chat or call.’ This proposal to add a ‘ghost’ user would violate important human rights principles, as well as several of the principles outlined in the GCHQ piece. Although the GCHQ officials claim that ‘you don’t even have to touch the encryption’ to implement their plan, the ‘ghost’ proposal would pose serious threats to cybersecurity and thereby also threaten fundamental human rights, including privacy and free expression.
In particular, as outlined below, the ghost proposal would create digital security risks by undermining authentication systems, by introducing potential unintentional vulnerabilities, and by creating new risks of abuse or misuse of systems. Importantly, it also would undermine the GCHQ principles on user trust and transparency set forth in the piece.”
If our industry is able to prevent these latest attempts by US and UK governments from successfully implementing government backdoors in encryption, the fight will still be long from over. I have researched and written about dozens of government backdoor proposals over the years, and unfortunately I’ll probably write about more in the future. We can’t give up, we must stand firm and in solidarity to maintain strong encryption in all of our computer technology systems.